Internet Security Systems

IP source route end

advICE : Intrusions : 2000023
Summary

The tail end of a source routed packet has been seen on the wire.

Details

The "source routing" feature of TCP/IP allows the sender of network traffic to force the traffic to be routed through a certain point on the network. This is useful to intruders because it lets them force packets to travel in unexpected directions.

For example, many organizations and home users use private addresses like 192.168.x.x. These addresses are not normally reachable on the Internet, yet intruders can still reach them by source routing through a machine that supports source routing.

Due to the dangers of source routing, it is normally disabled within machines.
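The following is an added example, not code from the original advICE page or from ISS: a small parser that finds a loose or strict source route option in an IPv4 header, extracts the route, and reports whether the route list has been used up. It assumes that "route end" means the option's pointer has moved past the last hop (RFC 791 semantics); the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89  # loose / strict source route option types (RFC 791)

def find_source_route(packet: bytes):
    """Describe the first source route option in an IPv4 header, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                             # malformed option, stop parsing
        if kind in (LSRR, SSRR) and length >= 3:
            pointer = opts[i + 2]             # offset of next hop, counted from 1
            data = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(data[j:j + 4]))
                    for j in range(0, len(data) - 3, 4)]
            return {"type": "strict" if kind == SSRR else "loose",
                    "route": hops,
                    # Assumption: "route end" = pointer past the option, list used up.
                    "route_end": pointer > length}
        i += length
    return None

def build_header(src, dst, option=b""):
    """Build a constructed IPv4 header (checksum left at 0) for the samples."""
    option += b"\x00" * (-len(option) % 4)    # pad options to a 32-bit boundary
    ihl = 5 + len(option) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + option

# Constructed samples: one two-hop loose route, pointer past the end (12) or at hop 1 (4).
HOPS = ipaddress.IPv4Address("198.51.100.1").packed + ipaddress.IPv4Address("203.0.113.7").packed
ROUTE_END = build_header("192.0.2.10", "192.168.1.10", bytes([LSRR, 11, 12]) + HOPS)
IN_TRANSIT = build_header("192.0.2.10", "192.168.1.10", bytes([LSRR, 11, 4]) + HOPS)
```

The returned "route" list corresponds to the route parameter this event reports, so it can be compared against the addresses of known network management hosts when triaging false positives.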

False Positives

Some network management utilities employ source routing in order to map the network. You can set "trust" levels on the intrusion detection system in order to mask these events from those platforms.

Defense

Most systems allow source routing to be disabled. Follow the links below in order to implement this on your routers and end-nodes.

more information

BugtraqID: 646 - Microsoft Windows IP Source Routing Vulnerability

advICE: source routing
Explains the technical details behind source routing and how it can be used to attack the system.

q238453 - Data in Route Pointer Field Can Bypass Source Routing Disable
Describes a problem where an intruder can reach one interface on a machine by sending traffic to another interface using source routing. This applies even when "routing" is turned off.

Microsoft Security Bulletin (MS99-038): FAQ
Some questions/answers about this problem.

NAI Advisory: 034 - Windows IP Source Routing Vulnerability

parametric information

route: The route is shown in the parameter field. It is likely that the attacker is one of the machines specified in that route.

 
Version appeared:  
